From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <aojea@google.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH nf] kselftest: add test for nfqueue induced conntrack race
Date: Wed, 18 Sep 2024 17:49:31 +0200 [thread overview]
Message-ID: <20240918154931.GA18635@breakpoint.cc> (raw)
In-Reply-To: <CAAdXToTGaNiwNDViMpRxoz5=YZkH-bu6rtO5_6xmkvN7s1nW2w@mail.gmail.com>
Antonio Ojea <aojea@google.com> wrote:
> > + # This is because nfqueue will delay packet for long enough so that
> > + # second packet will not find existing conntrack entry.
>
> For my own education:
> will both packets use the same tuple and get a different DNAT destination?
> If both packets are enqueued for one second (the -d option is in
> milliseconds), why will the conntrack entry not exist?
The conntrack entry is inserted into the hash table as the last
step of postrouting. As the packet is held by nf_queue, this
insertion is delayed, and when the second packet arrives it will get
its own conntrack entry allocated.
Due to the numgen+dnat combo, it gets DNAT'd to a different
address.
There is extra code in conntrack to handle this case: the source
tuple is the same, the reverse tuple is not (because of conflicting
NAT). This rather DNS-specific hack inserts both entries; the
colliding (second) entry is only inserted in the reply
direction, where we can map the reply packet back to the originating
socket.
If the client sends more packets, they only match the initial/first
conntrack entry.
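To make the ordering in the reply above concrete, here is an added toy model of the race (written for this page, not kernel code): numgen is modelled as a round-robin counter, "confirm" is the postrouting hash insertion, and the clash case inserts the losing entry in the reply direction only, as the mail describes. Tuple contents and addresses are constructed.

```python
import itertools
from collections import namedtuple

# Constructed stand-in for a conntrack tuple: just (src, dst) endpoints.
Tuple = namedtuple("Tuple", "src dst")


class Conntrack:
    """Toy conntrack table with separate ORIGINAL and REPLY direction lookups."""

    def __init__(self, dnat_targets):
        self.orig = {}    # original-direction tuple -> entry
        self.reply = {}   # reply-direction tuple -> entry
        self.numgen = itertools.cycle(dnat_targets)  # models 'numgen inc mod N'
        self.clash_inserts = 0

    def prerouting(self, pkt):
        """Look up the packet; allocate an unconfirmed entry and pick a DNAT target if none."""
        entry = self.orig.get(pkt)
        if entry is None:
            target = next(self.numgen)  # each new (unconfirmed) flow gets the next target
            entry = {"orig": pkt, "reply": Tuple(target, pkt.src), "confirmed": False}
        return entry

    def postrouting_confirm(self, entry):
        """Last step of postrouting: insert into the hash table, resolving a clash."""
        existing = self.orig.get(entry["orig"])
        if existing is not None and existing is not entry:
            # Same original tuple, different reply tuple (conflicting NAT):
            # insert the reply direction only, so replies still map back.
            self.reply[entry["reply"]] = entry
            self.clash_inserts += 1
        else:
            self.orig[entry["orig"]] = entry
            self.reply[entry["reply"]] = entry
        entry["confirmed"] = True
        return entry


def simulate_race():
    """Packet 1 is held in nfqueue; packet 2 with the same tuple arrives meanwhile."""
    ct = Conntrack(["10.0.0.1", "10.0.0.2"])
    client = Tuple("192.0.2.10:4000", "198.51.100.1:53")
    e1 = ct.prerouting(client)   # packet 1: allocated, DNAT to 10.0.0.1, then queued
    e2 = ct.prerouting(client)   # packet 2: no entry in the table yet, own allocation
    ct.postrouting_confirm(e2)   # packet 2 reaches postrouting first and is inserted
    ct.postrouting_confirm(e1)   # packet 1 released from the queue: clash
    e3 = ct.prerouting(client)   # later client packets match the first inserted entry
    return ct, e1, e2, e3
```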
Thread overview (3+ messages):
2024-09-18 13:16 [PATCH nf] kselftest: add test for nfqueue induced conntrack race Florian Westphal
2024-09-18 15:08 ` Antonio Ojea
2024-09-18 15:49 ` Florian Westphal [this message]